(U//FOUO) This Assessment establishes a baseline analysis of cyber threats to the US energy sector based on comprehensive FY 2014 incident reporting data compiled by ICS-CERT, as well as reporting by the Intelligence Community (IC), private sector cybersecurity industry, and open source media between early 2011 and January 2016. This Assessment is designed to help close gaps between the private sector’s and the IC’s understanding of current cyber threats facing the US energy sector. Critical infrastructure owners and operators can use this analysis to better understand cyber threats facing the US energy sector and help focus defensive strategies and operations to mitigate these threats. The Assessment does not include an in-depth analysis of foreign cyber doctrines or nation-state red lines for conducting cyber attacks against the United States. The information cutoff date for this Assessment is January 2016.

(U) Key Judgments

(U//FOUO) We assess the threat of a damaging or disruptive cyber attack against the US energy sector is low. We judge advanced persistent threat (APT) nation-state cyber actors are targeting US energy sector enterprise networks primarily to conduct cyber espionage. The APT activity directed against sector industrial control system (ICS) networks probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States.

(U//FOUO) We assess the majority of malicious activity occurring against the US energy sector is low-level cybercrime that is likely opportunistic in nature rather than specifically aimed at the sector, is financially or ideologically motivated, and is not meant to be destructive.

(U//FOUO) We assess that imprecise use of the term “cyber attack” in open source media reporting and throughout the private sector has led to misperceptions about the cyber threat to the US energy sector.

(U//FOUO) We assess the threat of a damaging or disruptive cyber attack against the US energy sector is low. We judge APT nation-state cyber actors are targeting US energy sector enterprise networks primarily to conduct cyber espionage. The APT activity directed against sector ICS networks probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States.

…

(U//FOUO) Misperceptions about Cyber Threats in the Energy Sector

(U//FOUO) We assess imprecise use of the term “cyber attack” in open source media reporting and throughout the private sector has led to misperceptions about the cyber threat to the US energy sector. The term “cyber attack” is frequently used to refer to any cyber incident directed against the US energy sector. This overuse of the term “cyber attack” creates an unnecessarily alarmist general view of the threat to the sector. “Cyber attack”—which should denote intent to cause denial, disruption, destruction, or other negative effects—is frequently used in the private sector to describe cyber espionage, and even low-level, untargeted incidents of cybercrime. Overuse of the term “cyber attack,” risks “alarm fatigue,” which could lead to longer response times or to missing important incidents.